In the event of a healthcare data breach, organizations must promptly notify affected individuals, the OCR, and, potentially, the media. Following HIPAA breach notification obligations protects individuals' privacy, fosters transparency, and mitigates the potential consequences of a breach.
The HIPAA breach notification rule, as defined in 45 CFR §§ 164.400-414, mandates that covered entities report breaches of unsecured electronic protected health information (ePHI) and physical copies of PHI. A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA rules.
An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate can demonstrate, through a risk assessment, that there is a low probability the PHI has been compromised.
HIPAA breaches can occur in various ways, including unauthorized access by employees or third parties, improper disclosures, exposure of PHI, and even ransomware attacks. However, there are exceptions to HIPAA breach notifications.
These exceptions include unintentional acquisition, access, or use of PHI by authorized individuals acting in good faith, inadvertent disclosures within the organization, and disclosures made with good faith belief that the recipient could not have retained the information.
In the event of a reportable HIPAA breach, covered entities have specific obligations to fulfill:
Covered entities must notify individuals impacted by the breach, and those believed to have been affected. Breach notification letters should be sent within 60 days of the breach discovery, unless state law requires a shorter timeframe or law enforcement requests a delay. These letters should be sent via first-class mail to the last known address of breach victims, or by email if individuals have authorized electronic communication.
Notification letters should be written in plain language and provide a clear explanation of what happened, what information was exposed or stolen, steps taken to mitigate harm, actions to prevent future breaches, and instructions for limiting harm. Additionally, breach victims should be provided with a toll-free number, postal address, and email address to contact the breached entity for further information.
Covered entities must also notify the Secretary of HHS through the Office for Civil Rights (OCR) breach reporting tool. The timeframe for notifying HHS varies based on the number of individuals impacted by the breach.
For breaches affecting more than 500 individuals, the notification must be made within 60 days of the breach discovery. For breaches impacting fewer than 500 individuals, the notification should be made by the end of the calendar year in which the breach was discovered.
The breach notification rule also requires a notice to the media. If the breach impacts more than 500 individuals, covered entities must report it to prominent media outlets in the states and jurisdictions where the breach victims reside, so that affected individuals learn of the potential exposure of their sensitive information. The media notification should be issued within 60 days of the breach discovery.
In certain situations, covered entities have additional breach notification obligations. These obligations include:
If the contact information for 10 or more individuals impacted by the breach is out of date, the covered entity must post a substitute breach notice on its website. This notice should be prominently displayed on the home page and remain accessible for 90 consecutive days. If the contact information for fewer than 10 individuals is out of date, other means such as written notices or telephone notifications can be used instead.
Business associates, as defined by HIPAA, are also responsible for reporting breaches of unsecured PHI to the covered entity. Business associates must report any security incidents to the covered entity promptly, whether or not the incident results in a data breach. The covered entity is then responsible for determining if the breach is notifiable and fulfilling the breach notification requirements.
While HIPAA sets the federal standard for breach notification, individual states also have their own breach notification laws. These state laws may be stricter than HIPAA and impose additional requirements on covered entities and business associates. Organizations must be aware of and comply with both HIPAA and state breach notification laws to avoid potential penalties.
In the event of a healthcare data breach, organizations must take prompt action to investigate and mitigate the breach. This includes identifying the cause of the breach, securing affected systems, and implementing measures to prevent future breaches. It is necessary to follow the breach response plan developed by the covered entity and involve necessary personnel, such as privacy officers and legal counsel, to ensure compliance with HIPAA requirements.
Sentara Hospitals settled a case with OCR for $2.175 million over HIPAA violations, including mailing protected health information (PHI) to 577 patients without authorization and failing to report the breach promptly. The case underscores the need to comply with HIPAA breach notification requirements.
Sentara's failure to recognize its obligations and establish proper agreements with its parent corporation reiterates the need for healthcare entities to understand and fulfill HIPAA obligations. OCR Director Roger Severino stressed the significance of timely breach reporting to protect patient privacy stating “HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.”
Identifying a HIPAA breach involves recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Monitoring access logs, conducting regular security assessments, and promptly investigating any suspicious incidents are steps in identifying potential breaches. Early detection enables prompt action to mitigate harm and fulfill reporting requirements under HIPAA regulations.
Individuals who believe their PHI has been breached should promptly report the incident to the covered entity or business associate responsible for it. They should also monitor their financial accounts and medical records for any signs of fraudulent activity.
The penalties for HIPAA violations vary with the severity and circumstances of the violation. Civil monetary penalties range from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million for all violations of an identical provision; penalties are higher for cases involving willful neglect. Criminal charges are also possible and, for the most severe violations, may result in fines of up to $250,000 and imprisonment for up to 10 years.
Covered entities can be held liable for HIPAA breaches caused by their business associates if the business associate was acting within the scope of its agreement with the covered entity at the time of the breach.
A HIPAA breach involves the unauthorized disclosure of PHI, triggering notification requirements, while a HIPAA violation encompasses any failure to comply with HIPAA regulations, whether or not it leads to a breach. Both breaches and violations can result in penalties, but the severity of the consequences may vary depending on the nature and extent of the non-compliance.